OFFICE OF THE INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

Review of
The Corporation for National and Community Service's
Network and Computer Security Plan

OIG Audit Report Number 01-34
December 11, 2000

Prepared by:

KPMG, LLP
2001 M Street, NW
Washington, DC 20036

Under Corporation for National and Community Service
Office of the Inspector General
Purchase Order # 200008020002
General Services Administration Contract # GS-23F-8127H

This report was issued to Corporation management on May 7, 2001. Under the laws and regulations governing audit follow up, the Corporation must make final management decisions on the report's findings and recommendations no later than November 5, 2001, and complete its corrective actions by May 7, 2002. Consequently, the reported findings do not necessarily represent the final resolution of the issues presented.


Office of Inspector General
Corporation for National and Community Service

Review of the Corporation for National and Community Service's Network and Computer Security Plan
OIG Audit Report Number 01-34

OMB Circular A-130, "Management of Federal Information Resources," requires that Federal agencies implement and maintain adequate security over information, information systems, and major applications. The Corporation's Network and Computer Security Plan includes a description of the Corporation's computer systems, the major applications, and the security and control procedures in place.

CNS OIG engaged KPMG, LLP to review the plan and to assess the effectiveness of the security policies and procedures. Their report concludes that the Corporation has met the requirements of the Circular with two exceptions, for which this report includes recommendations for corrective action. CNS OIG reviewed the report, with which we concur, the work papers supporting its conclusions, and the Corporation's response to the report.

In its response, the Corporation agreed with KPMG's recommendation for the first finding, which was to include a summary of the Security Plan in the Corporation's Strategic Information Risk Management Plan as required by Circular A-130. However, the Corporation did not agree with KPMG's second finding, that there is no separate, specific management authorization for the Internet connection to the Corporation LAN. KPMG did not change the report because CNS failed to provide documentation on this matter either during the audit or as part of the response to the report.

Inspector General
1201 New York Avenue, NW
Washington, DC 20525


Review of the Corporation for National and Community Service's Network and Computer Security Plan
Table of Contents

RESULTS IN BRIEF
PROJECT OBJECTIVES
METHODOLOGY
SUMMARY OF NOTIFICATION OF FINDINGS
NEW INFORMATION SECURITY LEGISLATION
APPENDIX A - NOTIFICATION OF FINDINGS
APPENDIX B - LIST OF DOCUMENTS REVIEWED
APPENDIX C - CORPORATION RESPONSES TO THE DRAFT


2001 M Street, N.W.
Washington, D.C. 20036
Telephone 202 467 3000
Fax 202 833 1350

December 11, 2000

Inspector General
Corporation for National and Community Service:

At your request, KPMG, LLP (KPMG) performed a Network Security Review on the Corporation for National Service (the Corporation). The primary purpose of this review was to:

    -   review the current network security plan and
    -   assess the effectiveness of computer security policy and procedures

Results in Brief

At the time of the assessment, the Corporation met the requirements of OMB Circular A-130, Management of Federal Information Resources, with two exceptions:

    -   A summary of the Security Plan was not incorporated in the recent Corporation Information Management Strategic Plan dated October 19, 2000; and

    -   There was no document that specifically gave management authorization for interconnection of the Corporation LAN to the Internet.

Neither of these findings has a direct operational impact on information security. But it is recommended that both of these findings be corrected, because they are good management practices and are required by OMB Circular A-130.

Project Objectives

The objective of this project was to assess the effectiveness of the network and computer security policies and procedures at the Corporation for National and Community Service (the Corporation) through a review of the Corporation's compliance with OMB Circular A-130, Management of Federal Information Resources. A review was conducted of policies and procedures, as documented in the Corporation's Security Plan, and an assessment was performed of their effectiveness.

Methodology

The project included an assessment of the Network Security Plan using OMB Circular A-130 as guidance. OMB Circular A-130 is applicable to all agencies, where "the term 'agency' means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the Federal government, or any independent regulatory agency" (OMB Circular A-130, Section 6).

This review was conducted in three phases. Phase I, the assessment phase, was designed to ensure the existence of documentation that supports OMB Circular A-130 criteria. A list of documentation reviewed during this phase is included in Appendix B.

Phase II entailed verification of the accuracy of the statements made in the documentation received in Phase I. This verification was accomplished through reviews of relevant documentation and interviews with Corporation personnel.

Phase III consisted of the development of a formal report of the review's findings. As the project team identified findings, they were discussed with the Corporation and the OIG. These findings are documented in the form of Notices of Findings (NOF) and are issued to the OIG and the Corporation as attachments to this report.

In addition, a Vulnerability and Penetration Assessment was performed on the Corporation's external and internal networks. More specifically, we attempted to simulate a number of security penetration scenarios, which included the following categories of potential system "abusers":

    -   an "outsider" with no information about the organization's EDP environment
    -   an "outsider" with limited information about the organization's EDP environment
    -   an "insider" with limited knowledge about the EDP environment
    -   an "insider" with standard client application programmer access to the EDP environment resources.

Our procedures were performed in accordance with Government Auditing Standards for performance audits as issued by the Comptroller General of the United States.

Summary of Notification of Findings

A total of two Notifications of Findings (NOFs) were issued during the course of the project. The following is a synopsis of the findings and the recommendations documented in each NOF located in Appendix A.

Finding 1: A summary of Security Plans is not incorporated in the Corporation's Information Management Strategic Plan dated October 19, 2000, as required by OMB Circular A-130.

Recommendation 1: Incorporate Information Security Planning into the Corporation's overall Information Resource Management Planning.

Finding 2: There is a formal Corporation policy (#375) for use of the Internet that is signed by the Chief Operating Officer, but there is no document that specifically gives management authorization for interconnection of the Corporation LAN to the Internet as required by OMB Circular A-130.

Recommendation 2: Perform a risk analysis for interconnection of the Corporation LAN to the Internet, and obtain specific formal management approval and acceptance of the risks of interconnection of the Corporation LAN to the Internet.

New Information Security Legislation

Although, at the time of the assessment, the Corporation generally met the criteria of OMB Circular A-130, new information security legislation, the Government Information Security Reform Act (GISRA), has been enacted that sets a much higher documentation standard than had previously existed. The legislation includes requirements that will impose additional types of workload burdens, such as annual evaluations. It is also anticipated that OMB Circular A-130, which formed the basis for this review, will be greatly modified in the near future to meet the GISRA requirements. An early start on meeting the new requirements is highly recommended.

The Fiscal Year 2001 National Defense Authorization Act became Public Law 106-398 on October 30, 2000. Title X, Subtitle G of the Act is the Government Information Security Reform Act (GISRA). Even though it is part of the Defense Authorization Act, Subtitle G's provisions affect all agencies of the Federal Government. It is effective as of November 30, 2000, and expires in two years. The legislation recognizes the highly networked nature of the Federal computing environment and the need for Federal Government interoperability. It seeks to establish a comprehensive framework for information security and to make it an integral component of each agency's business operations.

New provisions of the legislation call for each agency to:

    -   Have an agency-wide information security architecture
    -   Have an information security plan for the life cycle of each agency system
    -   Perform an annual self evaluation of information security controls and techniques
    -   Have an annual audit of the Information Security evaluation by the IG
    -   Provide an annual report of the results of each evaluation and audit to OMB

Procedural guidance from OMB and the National Institute of Standards and Technology (NIST) may not come until early 2001. But implementation of GISRA must proceed soon, to be followed by a self-evaluation of the implementation, an audit of the evaluation by the IG, and a report by the agency head to OMB. All must be accomplished before the legislated deadline of October 30, 2001.

A modified OMB Circular A-130 to implement GISRA will be forthcoming, and will likely incorporate the Security Assessment Framework developed by the CIO Council and NIST. The CIO-NIST Information Technology Security Assessment Framework seems to establish a more stringent requirement for comprehensive documentation than currently exists.

This report is intended solely for the information and use of the Office of the Inspector General, the management of the Corporation for National and Community Service, and the United States Congress and is not intended to be and should not be used by anyone other than these specified parties.

Partner, KPMG, LLP


Appendix A - Notification of Findings

Notification of Finding: Missing summary of the Corporation Security Plans.

Condition: The recently issued Information Management Strategic Plan, dated October 2000, does not contain a summary of the Corporation security plans. (See Binder C, WP #3100, Page 2 of 10)

Criteria: OMB Circular A-130 requires that "A summary of the security plans shall be incorporated into the strategic IRM plan."

Cause: Given the overall level of attention that has been paid to information security, this appears to be an oversight, and not necessarily indicative of a low resource allocation priority.

Effect: The intent of the requirement is to ensure that Information Security is considered during the agency's strategic resource planning and prioritization process. Allocation of sufficient resources to ensure an effective information security program may not otherwise occur.

Recommendation: Information security should be routinely incorporated into the Corporation's annual strategic resource allocation and prioritization processes. This fiscal year, it is recommended that the Corporation use the updated security plans being developed in conjunction with re-accreditation of all Corporation systems to provide the basis for incorporation of information security into the overall Information Management Strategic Plan dated October 2000. This should be more than just a documentation change, and ought to be accomplished in sufficient time to ensure that information security requirements are appropriately considered during the next budget cycle.

Management Response: This finding was discussed with Corporation Management on December 14, 2000. The Corporation did not express major disagreement but said that it intends to provide its formal response on any issues related to the finding in its comments on the draft report.


Notification of Finding: Missing management authorization for the Internet connection to the Corporation LAN.

Condition: There is no separate, specific management authorization for the Internet connection to the Corporation LAN. (See Binder C, WP #3100, Page 5 of 10)

Criteria: OMB Circular A-130 requires that there be written management authorization for interconnection to other systems.

Cause: Corporation Policy Number 375 is signed by the Chief Operating Officer and establishes rules for Internet and e-mail access control and acceptable use. This formal policy statement indirectly indicates that Corporation management approves in general of having the Internet connection, but it is not a clear statement that management understands and accepts the risks inherent in the Internet connection. Acceptance of responsibility for taking the business risks associated with interconnection to the Internet should clearly be done by Corporation top management.

Effect: The formal acceptance by management of the risks of any interconnection to other systems is the intent of the OMB Circular A-130 requirement. Connection to the Internet, particularly, has many inherent risks. Without management understanding of the potential for the loss of information assets or for harm to critical business processes, inappropriate levels of business risk may be taken or insufficient resource allocations made to ensure an effective security program.

Recommendation: Although Corporation management has given a tacit approval of connection to the Internet, a risk assessment for the interconnection of the Corporation LAN with the Internet should be done. The risk assessment need not be done from scratch. Valuable insight into the extent and nature of the risks may be gained from the various audits and evaluations of Corporation security that are underway. Once the risk assessment is completed, it should be used in conjunction with the updated LAN security plan as the basis for specific management authorization of the Internet interconnection.

Management Response: This finding was discussed with Corporation Management on December 14, 2000. The Corporation did not express major disagreement but said that it intends to provide its formal response on any issues related to the finding in its comments on the draft report.


Appendix B - List of Documents Reviewed

CNS Policy #375      Internet and E-mail Access and Acceptable Use                              August 23, 1999
CNS Policy #376      Network and Computer Security                                              November 7, 2000
CNS Policy #377      Computer Property Management                                               February 17, 2000
CNS Policy #378      Structured System Development Life Cycle Methodology                       April 27, 2000
CNS Policy #400      Visitor Procedures for Computer Room 6316                                  August 22, 2000
CNS Policy #401      Procedural Guidelines for Disabled and Locked Out Accounts                 October 13, 2000
CNS Policy #402      Approving Authority Signatures                                             August 24, 2000
CNS Policy #501      Safeguarding Sensitive Information and Documents                           September 21, 1999
CNS Plan             Information Management Strategic Plan                                      October 19, 2000
CNS Plan             Network Computer Security Plan                                             October 2000
CNS Plan             CNS-LAN Security Plan                                                      July 1997
CNS Plan             CNS-LAN Contingency Plan                                                   July 1997
CNS Plan             CNS Disaster Recovery Plan                                                 undated, 2000
CNS Report           CNS-LAN Security Controls Review Report                                    July 1997
CNS Report           CNS-LAN Risk Analysis Report                                               July 1997
CNS Accreditation    Accreditation Package for CNS-LAN                                          August 15, 1997
CNS Procedure        Corporation Network Account Creation, Modification and Deletion Procedure  undated, 2000
CNS Procedure        Corporation Windows NT Server Standard Configuration                       undated, 2000
CNS Procedure        Corporation Standard Client Configuration                                  undated, 2000
CNS Procedure        Corporation Backup Schedule                                                undated, 2000
CNS Procedure        Corporation Network Maintenance Schedule                                   undated, 2000
CNS Procedure        2000 Annual Information Systems Security Awareness Training document       undated, 2000
CNS Procedure        CNS Computer Incident Response Guidelines                                  undated, 2000
CNS Procedure        Help Desk Frequently Asked Questions (FAQ)                                 undated, 2000
CNS Document         Segregation of Duties                                                      undated, 2000


Appendix C - Corporation Responses to the Draft

March 30, 2001

The Honorable Luise Jordan,
Inspector General
Corporation for National and Community Service

Dear Ms. Jordan:

The Corporation has reviewed the draft report Review of the Corporation for National and Community Service's Network and Computer Security Plan (OIG Audit Report 01-34, dated December 11, 2000). The purpose of KPMG's work was to review the Corporation's network security plan and assess the effectiveness of computer security policy and procedures. The procedures performed by KPMG included sophisticated attempts to penetrate the Corporation's systems as both an "outside" hacker and an "insider." We note with satisfaction that KPMG failed to circumvent the Corporation's security policies and procedures and that it was unsuccessful in its attempts to penetrate the Corporation's systems.

The Corporation is also pleased that, while not explicitly stated, KPMG concluded that the Corporation's network security plan and computer security policy and procedures are effective and efficient. The Corporation has taken the security of its computer resources very seriously and will continue to do so. To this end, the Corporation routinely tests and monitors its systems and contracts with independent EDP consultants to review and test its systems. We also rely on the testing and review that was performed by KPMG on behalf of the Office of the Inspector General and discussed in this report.

The report cites two minor instances where KPMG feels that the Corporation could have better documentation. In the first instance, KPMG recommends that a summary of the Corporation's Security Plan be incorporated into the Corporation's Information Management Strategic Plan. While we do not agree that this is necessary given the Corporation's EDP operating environment, the Corporation will include a summary of the Security Plan in the Strategic Plan.

1201 New York Avenue, NW
Washington, DC 20525

For several years prior to senior management making this decision, the Office of Information Technology (OIT) maintained two separate networks: one serviced the internal business needs and the other was solely for Internet access. As technology changed, the need for easier access to the resources available on the Internet grew. Once technology and monitoring tools became sophisticated enough to enable acceptable protection from external threats, management included the necessary funding in the OIT budget for firewall technology and systems monitoring tools to allow the interconnection to the Internet. The initial risk assessment process culminated when the Chief Operating Officer signed the Corporation's policy on e-mail access controls and use of the Internet.

Internet access has become an integral part of the Corporation's network and is regularly assessed by both staff and independent EDP consultants for security vulnerabilities. For example, as part of the recent re-accreditation of the Corporation's network, independent EDP consultants performed a risk assessment of the entire network including the connection with the Internet. This accreditation was also reviewed and approved by senior management. Thus, the Corporation believes that to do additional risk assessments, beyond what has been and is regularly done, would be an inefficient use of its resources.

Finally, the Corporation would like to express its appreciation for the work of KPMG's staff and their flexibility to work around the other pressing responsibilities of the Corporation staff.

Sincerely,

David Spevacek
Chief Information Officer

cc:     Wendy Zenker
        Bill Anderson